Lawless Oz bucks trend on data breaches

A study into data breaches has found that the cost of compromised records to organisations is decreasing in the US, but increasing in Australia, likely due to a lack of data breach notification laws, according to Symantec director of security and compliance Sean Kopelke.


The study was sponsored by Symantec and conducted by the Ponemon Institute earlier this year. It covered 22 Australian organisations and, in order not to skew results, did not consider the effects of so-called "super breaches" that had an international effect, such as the Sony PlayStation breach.

The "Cost of Data Breach Study: Australia" report found that the cost of a data breach increased from $128 per lost or stolen record in 2010 to $138 last year. In contrast, an earlier Ponemon report found that in the US the cost had declined from $214 per record in 2010 to $194 last year.

Speaking to ZDNet Australia, Kopelke said that the main reason for Australia bucking the trend came down to the lack of data breach notification laws in Australia, while the US has a stricter stance, which had forced its businesses to become more proactive and react faster.

"[Laws in the US] have encouraged companies to make sure ... that they put policies, processes and technology in place to help reduce and minimise the risk of a data breach in the first place. Because of that, they will also put in to place a mitigation strategy," Kopelke said.

Kopelke said Australian organisations had yet to take a similar approach to preparedness and were spending their money in the wrong places.

"[The US situation is] actually the complete opposite to what we're seeing in Australia. Most organisations obviously never want information to leak from their company, but [Australia] still doesn't have any data breach notification laws or regulations in place, so a lot of organisations are actually spending a lot more money post-breach ... than they are investing the time in actually figuring out how [to] make sure this doesn't happen in the first place. When they get that right, the post-costs go down."

Furthermore, Kopelke said that Australian organisations were still responding poorly to data breaches, wasting money by failing to respond in a timely manner or by not having the right expertise in place to help get back on track.

"If an organisation responded to a breach within 30 days, then the average cost per record actually went down $30 from $138 down to $108. Reacting efficiently, quickly and accurately with information to your customers actually helps reduce the overall cost per record when there is a data breach."

Kopelke said that in companies that had an executive-level chief information security officer, or CISO, the average cost per record was even less — about $103. Bringing in an external consultant was seen to be the most effective, with the cost per record brought down to $93.

To make financial matters worse, the indirect costs incurred by businesses that fell victim to data breaches have increased, according to the report. These costs relate to damage to reputation, diminished goodwill and the cost of retaining existing customers or acquiring new ones to offset those that had lost confidence in the company. In 2010, companies lost $690,000 to these costs; in 2011 that figure increased to $840,000.

These costs could have been even higher, but, fortunately, fewer customers are leaving companies that have experienced a data breach, according to the report.